einundzwanzig-app

einundzwanzig/einundzwanzig-app

Fork 0

mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git synced 2026-05-05 17:04:54 +00:00

Commit Graph

Author	SHA1	Message	Date
Claude	9b81f6cd92	security: high-severity fixes (api throttle, fillable, idor, path, rel) - Add 60 req/min throttle to the public API group and a stricter 10 req/min throttle to POST /highscores. - Replace mass-assigned $guarded=[] with explicit $fillable on User, Meetup, Course, Lecturer, and SelfHostedService. created_by stays out of the whitelist; the existing creating() hooks continue to populate it. - Require authenticated user on Api/MeetupController::index instead of trusting the user_id query parameter (IDOR). - Constrain the /img and /img-public route paths to a safe character set and reject any path containing ".." in ImageController. - Add rel="noopener noreferrer" to every target="_blank" link on the meetup and course landing pages.	2026-05-03 12:55:09 +00:00
HolgerHatGarKeineNode	efe44cf344	✨ Add storage configuration, localization updates, and feed generation - Added `publicDisk` configuration to `filesystems.php`. - Expanded locale translations in `es.json` and `de.json`. - Implemented RSS, Atom, and JSON feed views. - Added `feed.php` configuration for feed generation. - Introduced `ImageController` for image handling. - Updated application routing to include `api.php`.	2025-11-21 16:23:55 +01:00

Author

SHA1

Message

Date

Claude

9b81f6cd92

security: high-severity fixes (api throttle, fillable, idor, path, rel)

- Add 60 req/min throttle to the public API group and a stricter 10 req/min
  throttle to POST /highscores.
- Replace mass-assigned $guarded=[] with explicit $fillable on User, Meetup,
  Course, Lecturer, and SelfHostedService. created_by stays out of the
  whitelist; the existing creating() hooks continue to populate it.
- Require authenticated user on Api/MeetupController::index instead of
  trusting the user_id query parameter (IDOR).
- Constrain the /img and /img-public route paths to a safe character set
  and reject any path containing ".." in ImageController.
- Add rel="noopener noreferrer" to every target="_blank" link on the meetup
  and course landing pages.

2026-05-03 12:55:09 +00:00

HolgerHatGarKeineNode

efe44cf344

✨ Add storage configuration, localization updates, and feed generation

- Added `publicDisk` configuration to `filesystems.php`.
- Expanded locale translations in `es.json` and `de.json`.
- Implemented RSS, Atom, and JSON feed views.
- Added `feed.php` configuration for feed generation.
- Introduced `ImageController` for image handling.
- Updated application routing to include `api.php`.

2025-11-21 16:23:55 +01:00

2 Commits